Merge #228

228: Strip strategic merge patch annotations r=mkmik a=mkmik Closes #227 Co-authored-by: Marko Mikulicic <[email protected]>
bitnami-labs · Aug 29, 2019 · ec80fce · ec80fce
2 parents 4c6ea3b + 02a421c
commit ec80fce
Show file tree

Hide file tree

Showing 2 changed files with 63 additions and 0 deletions.
diff --git a/pkg/apis/sealed-secrets/v1alpha1/sealedsecret_expansion.go b/pkg/apis/sealed-secrets/v1alpha1/sealedsecret_expansion.go
@@ -80,6 +80,19 @@ func NewSealedSecretV1(codecs runtimeserializer.CodecFactory, pubKey *rsa.Public
 	return s, nil
 }
 
+func StripLastAppliedAnnotations(annotations map[string]string) {
+	if annotations == nil {
+		return
+	}
+	keys := []string{
+		"kubectl.kubernetes.io/last-applied-configuration",
+		"kubecfg.ksonnet.io/last-applied-configuration",
+	}
+	for _, k := range keys {
+		delete(annotations, k)
+	}
+}
+
 // NewSealedSecret creates a new SealedSecret object wrapping the
 // provided secret. This encrypts only the values of each secrets
 // individually, so secrets can be updated one by one.
@@ -103,6 +116,13 @@ func NewSealedSecret(codecs runtimeserializer.CodecFactory, pubKey *rsa.PublicKe
 	}
 	secret.ObjectMeta.DeepCopyInto(&s.Spec.Template.ObjectMeta)
 
+	// the input secret could come from a real secret object applied with `kubectl apply` or similar tools
+	// which put a copy of the object version at application time in an annotation in order to support
+	// strategic merge patch in subsequent updates. We need to strip those annotations or else we would
+	// be leaking secrets in clear in a way that might be non obvious to users.
+	// See https://github.com/bitnami-labs/sealed-secrets/issues/227
+	StripLastAppliedAnnotations(s.Spec.Template.ObjectMeta.Annotations)
+
 	// RSA-OAEP will fail to decrypt unless the same label is used
 	// during decryption.
 	label, clusterWide, namespaceWide := labelFor(secret)

diff --git a/pkg/apis/sealed-secrets/v1alpha1/sealedsecret_test.go b/pkg/apis/sealed-secrets/v1alpha1/sealedsecret_test.go
@@ -411,6 +411,49 @@ func TestSealRoundTripWithMisMatchNamespaceWide(t *testing.T) {
 	}
 }
 
+func TestSealMetadataPreservation(t *testing.T) {
+	scheme := runtime.NewScheme()
+	codecs := serializer.NewCodecFactory(scheme)
+
+	SchemeBuilder.AddToScheme(scheme)
+	v1.SchemeBuilder.AddToScheme(scheme)
+
+	key, _ := generateTestKey(t, testRand(), 2048)
+
+	testCases := []struct {
+		key       string
+		preserved bool
+	}{
+		{"foo", true},
+		{"foo.bar.io/foo-bar-baz", true},
+		{"kubectl.kubernetes.io/last-applied-configuration", false},
+		{"kubecfg.ksonnet.io/last-applied-configuration", false},
+	}
+
+	for _, tc := range testCases {
+		secret := v1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:        "myname",
+				Namespace:   "myns",
+				Annotations: map[string]string{tc.key: "test value"},
+			},
+			Data: map[string][]byte{
+				"foo": []byte("bar"),
+			},
+		}
+
+		ssecret, err := NewSealedSecret(codecs, &key.PublicKey, &secret)
+		if err != nil {
+			t.Fatalf("NewSealedSecret returned error: %v", err)
+		}
+
+		_, got := ssecret.Spec.Template.Annotations[tc.key]
+		if want := tc.preserved; got != want {
+			t.Errorf("key %q: exists: %v, expected to exist: %v", tc.key, got, want)
+		}
+	}
+}
+
 func TestUnsealingV1Format(t *testing.T) {
 	scheme := runtime.NewScheme()
 	codecs := serializer.NewCodecFactory(scheme)